Cyberhaven’s preliminary analysis of the recent malicious Chrome extension
Essential information
- Published
- 02/01/2025 15:28
- Modified
- 02/01/2025 15:31
- Tags
- 2025-01-02 chrome extension command and control data exfiltration facebook ads oauth phishing
- Related entities
- 5 observables, 8 techniques (mitre)
Description
A phishing attack on December 24th, 2024 compromised a Cyberhaven employee's access to the Google Chrome Web Store, leading to the publication of a malicious version of their Chrome extension. This was part of a larger campaign targeting Chrome Extension developers, primarily aiming at Facebook Ads accounts. The attack involved a phishing email and a malicious OAUTH Google application. The malicious extension collected user data from Facebook.com, including access tokens, user IDs, account information, and ad account details. The data was then exfiltrated to a command and control server. The attack appears to be non-targeted and part of a wider campaign affecting multiple companies.